########## ########## ########## | A GUIDE TO EFF LEGAL SERVICES
########## ########## ########## |
#### #### #### |
######## ######## ######## | EFF TESTIMONY ON DIGITAL PRIVACY
######## ######## ######## | AS GIVEN BY DAVID FARBER
#### #### #### |
########## #### #### | WHAT EFF DID ON YOUR SUMMER VACTION
########## #### #### |
=====================================================================
EFFector Online September 18, 1992 Issue 3.05
A Publication of the Electronic Frontier Foundation
ISSN 1062-9424
=====================================================================
EFF LEGAL SERVICES
by Mike Godwin
EFF Staff Counsel, Cambridge
Because the EFF has spent the last year developing and publicizing
our policy-focused efforts at our new Washington office, many of our
constituents have wondered whether EFF is still active on the
civil-liberties front. The answer to that question is an unqualified
"Yes!" This activity has been less well-publicized, however, often
because of the privacy interests of most of the people who seek EFF help
with their individual cases. I want to take this opportunity to let our
members and constituents know what kind of legal services we offer, and
what kind of casework we do.
The primary legal services I provide are basic counselling and
referrals. EFF does not charge for this, and you do not have to be an
EFF member to call or write and ask for help. I answer general questions
about computer law and telecommunications law at the federal level as
well as in the jurisdictions in which I am admitted to the bar
(currently Texas and Washington, D.C.). When appropriate, I instruct
people to seek further consultation with lawyers in their respective
jurisdictions, giving them referrals to specific lawyers when possible.
(EFF maintains a database of attorneys who've volunteered to do some
kinds of work on these kinds of cases.) I often mail out source
materials to individuals and organizations. (One of the most frequently
requested materials is the original complaint filed by Steve Jackson
Games in its lawsuit against the U.S. government--many lawyers find that
the complaint is a good primer on civil-liberties issues raised by the
search and seizure of a computer bulletin-board system.) More
frequently, I talk to people on the telephone. The kinds of questions I
deal with tend to fall into the following four general areas:
GENERAL QUESTIONS ABOUT LEGAL ISSUES
A caller may be a sysop who's been told by someone that it's against the
law to read users' e-mail, and she wants to know whether this is true.
Or it may be a user who wants to know if it's legal to upload a scanned
image of a copyrighted photograph to a BBS for downloading by other
users. Or it may be a hobbyist programmer who wonders if he may be held
liable if a computer virus he writes somehow "escapes" and infects and
damages other systems. Usually these questions are aimed at
*anticipated* legal risks (the caller wants to know ahead of time if her
actions will lead to legal trouble), but a significant number of the
calls are from people who wonder if their *current* activities are
illegal or create risks of legal liability. For example, a lot of
sysops of "pirate" BBSs have acquired the notion that they can't be held
liable for providing access to unauthorized copies of commercial
software because it's "the guy downloading the stuff who's doing the
copying"--I tell them they are mistaken and point out the legal risks of
providing such access. A small but consistent fraction of callers prefer
to remain anonymous. I respect their wishes, and try to give just as
much help to anonymous callers as to those who identify themselves.
REQUESTS FOR HELP IN CRIMINAL CASES
Basically, these types of requests fall into two categories, which I
call "target cases" and "non-target cases":
A "target case" is one in which the request is from some one
(the "target") who is very likely to become, or who has already become,
a defendant in a state or federal case. I may get the request from the
target personally, or I may get a call from the target's lawyer. (If the
target doesn't have a lawyer, my first priority is to do what I can to
help him get one. Although EFF does not normally provide funds for legal
representation in criminal cases, I can tell a caller how to go about
contacting a private defense lawyer or a public defender.) I'll ask the
caller for basic facts about the case, and, once I'm in contact with his
lawyer, I'll do what I can to help the lawyer learn the relevant law and
gather the necessary facts to prepare the case. Even the very best
defense lawyers are likely to be unfamiliar with the legal and
evidentiary issues raised by computer-crime investigations--I'm often
able to give them a running start on their case preparation. On a few
occasions, a case may raise a particularly unusual and important
civil-liberties issue, and I'll make a recommendation to EFF management
as to whether EFF should formally support the case in some way.
A "non-target case" is one in which the person asking for
assistance or advice is not an actual or prospective defendant, but her
rights or interests have somehow been affected by a criminal
investigation or by the actions of law-enforcement officials. (The
classic example is one in which a non-target sysop's BBS or networked
computer has been seized as part of an investigation of one the system's
users.) As in target cases, I may advise her lawyer, but I often can
resolve things quickly by acting directly as a representative for the
person asking for help. For example, in a recent Washington State case,
I helped a non-target negotiate a quick return of his equipment, which
federal agents had seized and searched as part of a multi-state criminal
investigation.
REQUESTS FOR HELP IN CIVIL CASES. Normally, EFF won't take sides in a
civil case unless it clearly raises an important civil-liberties issue.
One such case involved the manufacturers of a VCR-programming device who
threatened to sue individuals participating in a discussion of their
coding algorithms on the Usenet newsgroup sci.crypt. The company's
lawyer insisted that the Usenetters' efforts at figuring out the
algorithms by deducing them from the codes published in TV Guide
listings and elsewhere was a violation of their copyright, patent, and
trade-secret interests.
I researched their claim and confirmed the Usenet posters' belief
that their research did not violate any intellectual-property
protections of the manufacturers' products, and I represented their
position to the manufacturer, telling the company that the posters were
engaged in Constitutionally protected speech and inquiry. After several
convesations between me and the company's lawyer, the company dropped
its claims. (The sci.crypt posters' research was eventually published as
a paper in the journal CRYPTOLOGIA--Vol. XVI, Number 3, July 1992--in
which the authors thanked EFF for their legal assistance.)
REQUESTS FOR HELP IN SITUATIONS WHERE THERE'S NO CRIMINAL OR CIVIL CASE
This category includes situations in which, for example, a college
student has his computer-access privileges suspended because a "hacker
newsletter" is discovered by a system administrator rummaging through
the student's directory. (I've explained to more than one system
administrator that mere possession of such information does not make one
a computer intruder, and that their rummaging may have violated the
students' rights.) Or a university computer center may decide to suspend
some kinds of Usenet newsgroups, justifying their actions by saying
they're afraid the sexually oriented newsgroups are illegal. (I've
written and spoken to university administrators to explain that
virtually none of the discussions in the sexually oriented newsgroups on
Usenet qualify legally as "obscenity"--instead, they're protected
expression under established American Constitutional law.) Or a group of
sysops may be concerned about their local phone company's efforts to
impose business rates on nonprofit BBS phone lines. (I now refer most
such calls to Shari Steele, ssteele@eff.org, the staff counsel of EFF's
Washington office, who has given special study to these issues.)
In addition to individual casework: I have represented EFF's legal
services primarily on three forums--the WELL, Usenet, and CompuServe.
As a result of my presence there, I have been receiving an increasing
amount of casework, requests for legal advice, and invitations to speak.
The number of these cases has increased in response to my presence
online--it also has increased in response to my public appearances.
After the Second Computers, Freedom, and Privacy conference, for
example, I had three or four cases referred to me by people who met me
in Washington.
It is important that EFF members and constituents recognize we are
here to help you solve individual problems as well as promote your
interests on general policy issues. If you are running into a legal
problem, or if you simply have a general legal question, or even if
you're having a problem on the Electronic Frontier and you're not sure
whether or not it's a legal problem, you should call me, Mike Godwin, at
617-864-0665, or send me electronic mail at mnemonic@eff.org or at
76711,317 on CompuServe. I won't always be able to help, but I'm always
willing to listen. And I may be able to help more often than you'd
think.
-==--==--==-<>-==--==--==-
From the Univ of Wisconsin Microelectronics bulletin, Prof. F Cerrina
as the author:
"After the Microlithography '92 conference in Japan, we toured some
of the leading electronics laboratories. Our visit to Hitachi's
Central Research Lab included an amusing demonstration of the
resolution of current lithography. On a four-inch wafer, they
printed a map of the world that included the streets of London down to the
smallest alleys. It's now possible to put a fully detailed map of
the world on a six-inch wafer."
Food for thought...
(Submitted by Gary Delp )
-==--==--==-<>-==--==--==-
Following are excerpts from the testimony of Professor David Farber, a
member of the EFF Board of Directors, before the Computer Systems
Security and Privacy Advisory Board of the National Institute of
Standards and Technology (NIST) on September 16, 1992.
Mr. Chairman and Members of the Advisory Board:
My name is David Farber. I am Professor of Computer Science at the
University of Pennsylvania and a member of the Board of Directors of the
Electronic Frontier Foundation (EFF). I am here today representing only
the views of EFF. I want to thank you for inviting us to testify today
as part of your investigation.
We are pleased to be included at this early phase of the Advisory
Board's inquiry and offer a brief set of principles for proceeding with
this inquiry. First, it is essential that in examining discrete issues
such as the desirability of various cryptography standards, the Board
take a comprehensive view of what we call "digital privacy" policy as a
whole. Such a comprehensive view requires a clear vision of the
underlying civil liberties issues at stake: privacy and free speech. It
also requires looking beyond the cryptography questions raised by many
to include some of law enforcement's recent concerns about the pace of
digital infrastructure innovation. Second, for the sake of promoting
innovation and protecting civil liberties, the Board should bear in mind
the principle that computer security policy is fundamentally a concern
for domestic, civilian agencies. This principle, as articulated in the
Computer Security Act of 1987, can serve as an important guide to the
work of this Board.
A. THE GROWING IMPORTANCE OF DIGITAL PRIVACY TECHNOLOGY
With dramatic increases in reliance on digital media for
communications on the part of private individuals, government, and
corporations, the need for comprehensive protection of privacy in these
media grows. For most in this room, the point seems trite, but the
digital communications revolution (which we stand at only the very
beginning of), is the key event of which the Advisory Board should take
note. As an example, a communication which is carried on paper through
the mail system, or over the wire-based public telephone network is
relatively secure from random intrusion by others. But the same
communication carried over a cellular or other wireless communication
system, is vulnerable to being overheard by anyone who has very
inexpensive, easy-to-obtain scanning technology.
For the individual who relies on digital communications media,
reliable privacy protection cannot be achieved without the protection of
robust encryption technology. While legal restrictions on the use of
scanners or other technology which might facilitate such invasions of
privacy seem to be attractive preventative measures, these are not
lasting or comprehensive solutions. We should have a guarantee -- with
physics and mathematics, not only with laws -- that we can give
ourselves real privacy of personal communications through technical
means. Encryption strong enough that even the NSA can't break it. We
already know how to do this, but we have not made encryption technology
widely available for public use because of public policy barriers.
B. THE BOARD SHOULD UNDERTAKE A COMPREHENSIVE REVIEW OF DIGITAL PRIVACY
ISSUES
Inasmuch as digital privacy policy has broad implications for
constitutional rights of free speech and privacy, and for international
competitiveness and economic vitality in the information age, these
issues must be explored and resolved in an open, civilian policy
context. These questions are simply too important to be decided by the
national security establishment alone. This principle is central to the
Computer Security Act of 1987.1 The structure of the Act, which is the
basis for the authority of this Advisory Board, arose, in significant
part, from the concern that the national security establishment was
exercising undue control over the flow of public information and the use
of information technology.2
When considering the law in 1986, the committee asked the question,
"whether it is proper for a super-secret agency [the NSA] that operates
without public scrutiny to involve itself in domestic activities...?"
The answer was a clear no, and the authority for establish computer
security policy was vested in NIST (the NBS).
In this context, we need a robust public debate over our
government's continuing heavy-handed efforts to control commercially
developed cryptography. It is no secret that throughout the cold war
era, the Defense and State Departments and the National Security Agency
have used any and all means, including threats of prosecution, control
over research, and denial of export licenses to prevent advanced secret
coding capabilities from getting into the hands of our adversaries. NSA
does this to maximize its ability to intercept and crack all
international communications of national security interest.
Now the Cold War is over but the practice continues. In recent
years, Lotus, Microsoft, and others have developed or tried to
incorporate powerful encryption means into mass market software to
enhance the security and privacy of business, financial, and personal
communications. In an era of computer crime, sophisticated surveillance
technologies, and industrial espionage it is a laudable goal.
Although NSA does not have the authority to interfere with domestic
distribution of DSA, RSA, and other encryption packages, its licensing
stranglehold over foreign distribution has unfortunate consequences.
Domestic firms have been unable to sell competitive security and privacy
products in international markets. More important, because the cost of
producing two different products is often prohibitive, NSA policy
encourages firms to produce a single product for both domestic and
worldwide use, resulting in minimal privacy and security for users both
here and abroad.
While we all recognize that NSA has legitimate national security
concerns in the post cold war era, this is a seriously flawed process.
Foreign countries or entities who want to obtain advanced encryption
technology can purchase it through intermediaries in the United States
or from companies in a host of foreign countries who are not subject to
US export restrictions. There is a big, big hole in the national
security dike. By taking a page out of the Emperor's New Clothes, NSA
opts to act as if the process works by continuing to block export.
In order to get some improvement in mass market encryption, the
Software Publishers Association, representing Microsoft, Lotus, and
others, had to use the threat of legislation to get NSA to engage in the
negotiations that finally led NSA to agree to expedited clearance for
the export of RSA encrypting software of limited key lengths. Still, all
concede that the agreement does not go far enough and that far more
powerful third-party products are commonly available in the US,
including the fifteen-year-old US Data Encryption Standard. SPA knows
that specifying maximum key lengths offers little long-term security
given advances in computer processing power, but was willing to
compromise because of NSA's refusal to budge.
Does this kind of policy make any sense in the post Cold War era?
Mass market products offer limited security for our citizens and
businesses. Determined adversaries can obtain much more powerful
products from foreign countries or by purchasing it here in the US. Is
the NSA policy of slowing down the pace of encryption use by foreigners
and adversaries --even if demonstrable--any longer worth the significant
price we pay in terms of failing to meet our own communications privacy
and security needs? That is the policy challenge for this Board to
address by a frank, open, and inclusive public debate.
C. THE BOARD MUST ADDRESS THE DIGITAL PRIVACY ISSUE IN A COMPREHENSIVE
MANNER WHICH REQUIRES CONSIDERING THE FBI'S DIGITAL TELEPHONY PROPOSAL
AND ITS IMPLICATIONS.
The public policy debate on electronic privacy issues over the last
few years has demonstrated that a comprehensive approach to digital
privacy policy cannot be complete without examining both questions
regarding the availability of encryption technology, and the
corresponding infrastructure issues, such as those raised by the FBI's
Digital Telephony Proposal. Attempts to solve one issue without
addressing the other is an exercise in irrational policy-making and
should be avoided by this Advisory Board.
Last year, the FBI first proposed a "Sense of the Congress"
resolution stating that communications firms and computer and
communications equipment manufacturers were obligated to provide law
enforcement access to the "plain" text of all voice, data, and video
communications, including communications using software encryption. The
Electronic Frontier Foundation (EFF) played an active and leading role
both in opposing such a law and in seeking to find more acceptable means
for meeting legitimate law enforcement needs. Because of our advocacy
and coalition-building efforts with communications and privacy groups,
we were successful in persuading Senate Judiciary Chairman Joseph Biden
to remove the Sense of the Congress Resolution from active consideration
as part of Omnibus crime legislation last year.
Putting aside its attempt to control the use of encryption systems,
this year the FBI has come forward with proposed legislation that would
require telephone companies, electronic information providers, and
computer and communications equipment manufacturers to seek an FCC
"license" or Attorney General "certification" that their technologies
are susceptible to electronic surveillance. We are in danger of creating
a domestic version of the export control laws for computer and
communications technology.
While the FBI claims that neither of this year's proposals address
encryption issues, the Bureau has made it clear it plans to return to
this issue in the future. The Board needs to hear from the broad
coalition made up of telephone companies such as AT&T, computer firms
such as IBM, Sun Microsystems, and Lotus Development Corporation, and
public interest groups such as the EFF. The EFF will shortly release a
white paper representing coalition views on the need for the FBI to
explore more realistic, less vague, and potentially onerous policy
options for meeting legitimate law enforcement needs.
The resulting multi-front battle being waged about digital privacy
creates formidable roadblocks to a final resolution of the policy
disputes at issue. Those who seek greater privacy and security cannot
trust a settlement on one front, because their victory is likely to be
undermined by action on the other issue. And law enforcement and
national security concerns cannot be adequately addressed without a
sense of the overall solution being proposed on both the encryption and
infrastructure fronts. This Advisory Board can play a valuable role for
the policy process by conducting a comprehensive review of digital
privacy and security policy, with a consideration of both of these sets
of issues.
1 Pub.L.No. 100-235.
2 House Committee On Government Operations, H.R. Rep. No. 99-753,
Pt. 2, at 5.
-==--==--==-<>-==--==--==-
From "Levitating Trains and Kamikaze Genes: Technological Literacy
for the 1990's"
Describing the difference between computer hardware and software:
"Those parts of the system that you can hit with a hammer
(not advised) are called hardware; those program instructions that
you can only curse at are called software."
-==--==--==-<>-==--==--==-
WHAT EFF DID WHILE YOU WERE TANNING
You can't fool us. We saw your I'm-on-vacation bounce notices after
shipping each EFFector Online. And while you were out prematurely aging
your skin, the EFF had a busy summer.
Both Danny Weitzner of the D.C. office and Mike Godwin of the
Cambridge office took bar exams in July: Danny in New York and Mike in
Massachusetts (Mike is already a member of the Texas and D.C. bars).
Both have recovered and are waiting for their results.
CAMBRIDGE:
# Mitchell Kapor was a keynote speaker for EFF at the International
Networking Conference, 1992, in Kobe, Japan where he spoke on global
networking and the EFF's role in the creation of online communities
around the world. He also appeared before the National Association of
Regional Utility Commissions as a means of opening EFF's state by state
drive to make ISDN happen nationwide. In addition, he has, as usual,
been active in fundraising efforts for EFF within the computer industry.
# In addition to his bar exam, Mike flew to San Francisco several times
as part of the planning committee for Computers, Freedom, and Privacy
III; chaired two meetings of the Massachusetts Computer Crime Council;
assisted counsel for several federal computer crime cases under
indictment; and fielded many, many legal questions on the phone and
online.
# The publications department (Gerard Van der Leun and Rita Rouvalis)
produced a full line of pamphlets, white papers, bumper stickers, and
information disks in addition to several issues of EFFector Online and
@eff.org; staffed booths at ONE BBSCon and IBECC '92 in Denver, Colorado
in August; and laid the groundwork on such projects as The EFF Guide to
Cyberspace and the upcoming EFFECTOR3 magazine.
# EFF Tech (Chris Davis and Helen Rose) upgraded the Washington, D.C.
office's connection to the Internet from a dialup SLIP connection to a
56K leased line; reorganized the anonymous FTP archives for faster and
easier access to the EFF's online documents; began a series of
Postscript versions of EFF documents with about-eff; and made
arrangements to appear on a panel discussing the Internet and the
National Public Network in New York City in late September.
WASHINGTON D.C.:
# Jerry Berman appeared before American Bar Association Conference in
San Francisco on the Panel on Virtual Reality and Future Network Policy;
appeared before Computer Systems Policy Project in Massachusetts to
discuss Open Platform Initiative of the EFF; was on a panel that briefed
the City Council and Mayor of Seattle. He arranged for many computer and
communications firms to sign the EFF-drafted White Paper opposing FBI
digital Telephony proposal to be released September 16 in D.C. He also,
with the aid of the Washington staff, pulled together the second meeting
of the Communications Policy Forum under EFF auspices to discuss the
NSF's draft solicitation on the Internet and NREN.
# Danny Weitzner drafted Open Platform amendments, making narrowband
ISDN deployment a national policy, for Rep. Ed Markey's latest
telecommunications regulation bill; was elected Chair of the Public
Policy and Strategy committee of the North American ISDN Users' Forum;
and initiated a plan to take the Open Platform initiative to state
public utility commissions in order to ensure reasonably priced ISDN
service in the states.
# Andrew Blau testified at Colorado PUC on making ISDN available to
residential subscribers; met with Executive Leadership of NCSL's Task
Force on Info Policy; spoke at National Federation of Local Cable
Programmers' Annual Convention on Video Dialtone, "Electronic
Frontiers", and Community Communications Coalitions; was a panelist on
"Government Initiatives to Promote Public Data Networks"; met with
disability rights activists, seniors, and others about meeting their
future telecommunications needs; and documented uses/application of ISDN
technology in small business, education, health and other settings.
# Shari Steele made presentations on the EFF, our National Public
Network proposal, electronic democracy and BBSs being charged business
telephone rates at ONE BBSCon and IBECC; began writing a monthly legal
column for BBS Callers Digest; and made presentations on the EFF to the
Capital Area SysOps Association (CASA) and a course on Computers,
Freedom and Privacy at the George Washington University.
-==--==--==-<>-==--==--==-
MEMBERSHIP IN THE ELECTRONIC FRONTIER FOUNDATION
If you support our goals and our work, you can show that support by
becoming a member now. Members receive our magazine, EFFECTOR, our bi-
weekly electronic newsletter, EFFector Online, the @eff.org newsletter
and special releases and other notices on our activities. But because
we believe that support should be freely given, you can receive these
things even if you do not elect to become a member.
Our memberships are $20.00 per year for students, $40.00 per year for
regular members. You may, of course, donate more if you wish.
Our privacy policy: The Electronic Frontier Foundation will never, under
any circumstances, sell any part of its membership list. We will, from
time to time, share this list with other non-profit organizations whose
work we determine to be in line with our goals. If you do not grant
explicit permission, we assume that you do not wish your membership
disclosed to any group for any reason.
---------------- EFF MEMBERSHIP FORM ---------------
Mail to: The Electronic Frontier Foundation, Inc.
155 Second St. #35
Cambridge, MA 02141
I wish to become a member of the EFF I enclose:$__________
$20.00 (student or low income membership)
$40.00 (regular membership)
$100.00(Corporate or company membership.
This allows any organization to
become a member of EFF. It allows
such an organization, if it wishes
to designate up to five individuals
within the organization as members.)
I enclose an additional donation of $
Name:
Organization:
Address:
City or Town:
State: Zip: Phone:( ) (optional)
FAX:( ) (optional)
Email address:
I enclose a check [ ] .
Please charge my membership in the amount of $
to my Mastercard [ ] Visa [ ] American Express [ ]
Number:
Expiration date:
Signature:
Date:
I hereby grant permission to the EFF to share my name with
other non-profit groups from time to time as it deems
appropriate [ ] .
Initials:
Your membership/donation is fully tax deductible.
=====================================================================
EFFector Online is published by
The Electronic Frontier Foundation
155 Second Street, Cambridge MA 02141
Phone: +1 617 864 0665 FAX: +1 617 864 0866
Internet Address: eff@eff.org
Reproduction of this publication in electronic media is encouraged
To reproduce signed articles individually,
please contact the authors for their express permission.
=====================================================================
This newsletter is printed on 100% recycled electrons.